- From: Maryam Mehrnezhad (PGR) <m.mehrnezhad@newcastle.ac.uk>
- Date: Mon, 17 Aug 2015 14:57:16 +0000
- To: Nicholas Doty <npdoty@ischool.berkeley.edu>, "mike@w3.org" <mike@w3.org>
- CC: "public-geolocation@w3.org" <public-geolocation@w3.org>
- Message-ID: <DB5PR07MB09494F2BD72AED6C25D57FFCDB7E0@DB5PR07MB0949.eurprd07.prod.outlook.com>
Hi Nick and Mike,

Thanks for the reply. We have also informed the browser vendors.

Updating the specification in order to describe the security and privacy considerations similar to "ambient light" http://www.w3.org/TR/ambient-light/#security-and-privacy-considerations would be helpful.

Attacks hidden in the iframes could be dangerous too. They can be used to learn about users' sensitive information such as their physical activities and their phone calls. Even more, we observed that some browsers including Safari report the sensor data when the browser is minimized or the screen is locked.

The current work is under review by a related journal and we will provide the community with the official manuscript as soon as possible. You can have a look at the unpublished draft of the paper available here http://homepages.cs.ncl.ac.uk/m.mehrnezhad/TouchSignatures.pdf

-Maryam

________________________________
From: Nicholas Doty <npdoty@ischool.berkeley.edu>
Sent: Tuesday, August 11, 2015 11:34 PM
To: Maryam Mehrnezhad (PGR)
Cc: public-geolocation@w3.org
Subject: Re: Risks in current privacy/security policies of accessing to the mobile orientation and motion sensors via JavaScript codes

Thanks for the info, Maryam. Have you also followed up with the affected browser vendors directly?

Based on the poster, the "other tab" instances sound the most concerning to me. We have discussed for other specifications adding a normative requirement about limiting sensor readings to the active tab or active browsing context, because of a number of different privacy leakages. (For example, events triggered by sensor activity that are triggered for background tabs can help an attacker identify that two different browsing contexts are the same user/device.) This would be an issue to address for any future iterations on this document; or, as I understand to be more likely, for the generic sensor API specification.

I'd be interested in hearing more about the intra-tab attacks (an iframe that gets notification into user activity on the embedding page) and what kinds of privacy issues might arise in those cases.

Accelerometer data is also the kind of data that can be used for cross-device leakage. For example, there are papers on inferring the content typed on one device based on the vibrations felt by another device; e.g. http://dl.acm.org/citation.cfm?id=2046771 That may be a harder problem to solve with a specification change alone, but would be worth describing in a privacy considerations section.

-Nick

On Aug 10, 2015, at 6:08 AM, Maryam Mehrnezhad (PGR) <m.mehrnezhad@newcastle.ac.uk> wrote:

Dear Sir/Madam,

I am writing to you on behalf of a team of researchers in mobile security from Newcastle University, UK. Based on our recent work, we have identified vulnerabilities in the current privacy/security policies of accessing mobile orientation and motion sensors via JavaScript code specified here (http://www.w3.org/TR/orientation-event/). The results of our work show that it is possible to infer a user's touch actions such as click, scroll, and zoom, as well as his PINs, based on the sensor streams accessible through different mainstream mobile browsers. These browsers have implemented this feature according to the W3C device orientation event specification.

A preliminary version of our work is already published here (http://dl.acm.org/citation.cfm?id=2714650). The detailed version of the paper including attacks on user's PINs will be published soon.

We would be very happy to provide you with more information in regards to this problem.

Best Regards,

Maryam Mehrnezhad
PhD Student in Computing Science
Centre of Software Reliability (CSR), Claremont tower
School of Computing Science, Newcastle University
http://www.ncl.ac.uk/csr/people/student/m.mehrnezhad
Newcastle Upon Tyne, UK NE1 7RU
Email: m.mehrnezhad@ncl.ac.uk
Telephone: +44 191 208 5153
Fax: +44 191 208 8232

Received on Monday, 17 August 2015 14:58:39 UTC